Such as: what data is stored, why and how do you handle it. The AVG sets stricter requirements for privacy and the security of personal data (both online and offline). As of May 25, 2018, all companies within the EU must comply with this strict new law, but what will change?
Who does the AVG/GDPR apply to?
This law is going to apply to any business or organization (within the EU) that processes personal data. Every business has customers, and even just your customer’s name is personal data. But even comments on a blog article, are considered personal data. Some other examples are: e-mail addresses from a mailing list, CVs of job applicants, IP addresses or personnel information.
This does not include data for personal use, such as: birthday calendar, private contacts in your phone / WhatsApp, personal notes.
The five most important changes as of May 25, 2018
Get consent for collection of personal data
Consent must be explicitly requested and thus must not be pre-populated. You often see this in web forms where a checkbox is already pre-ticked. Despite the fact that this has not been allowed for some time, it will now be enforced per May 25, 2018 in terms of legislation.
Provide the option for lifting this permission
A customer should be able to indicate that his/her personal data collection or management is no longer allowed. This could be when someone wants to be removed from a mailing list or when a customer wants to be removed from your records (note that retention requirements apply to invoices).
It is not permitted to collect more than the necessary data
Collect only the data you need. Clearly state what constitutes necessary personal data and why (in what context). You can put this information in the privacy or cookie statement on your website.
Clearly record what personal data is collected
In addition to only collecting necessary data, you must also be able to indicate exactly what data you are collecting. In some cases it will be necessary to be able to demonstrate that per item this consent has been requested and obtained. Thus, it is not allowed to use an “I agree with everything” button.
5. More and better privacy rights
Under the AVG, the following rights apply:
- Right of inspection
- Right to rectification and supplementation
- Right to oblivion
- Right to data portability
- Right to restriction of processing
- Rights regarding automated decision-making and profiling
- Right to object